Managing Dependency Hygiene

Overview

The OpenSSF Scorecard is a security health assessment tool developed by the Open Source Security Foundation (OpenSSF). It automatically evaluates open source projects against a set of well-defined security best practices. The Scorecard outputs a score between 0 and 10, providing insights into how secure and trustworthy a project is based on its development practices.

At Heeler, we integrate the Scorecard to help you assess the security posture of your open source dependencies, enabling faster and more informed decisions around risk acceptance, policy enforcement, and remediation.

Why It Matters

Open source software is foundational to modern applications, but not all projects follow the same security standards. The Scorecard helps answer critical questions:

  • Is this dependency actively maintained?

  • Are vulnerabilities being addressed in a timely manner?

  • Are development practices aligned with modern security expectations?

By incorporating Scorecard scores, Heeler enables you to:

  • Detect high-risk dependencies early.

  • Set automated guardrails (e.g., warn or block based on score thresholds).

  • Track improvement (or decay) in dependency posture over time.

  • Prioritize remediation based on objective signals, not just CVEs.

Background on the Scorecard

The Scorecard evaluates projects across more than 20 security checks, including:

Check                 What It Measures
--------------------  ---------------------------------------------------
CI Tests              Is there automated testing in place?
Maintained            Is the project actively maintained?
Security Policy       Is there a documented security policy?
Signed Releases       Are release artifacts cryptographically signed?
Dependency Updates    Are tools like Dependabot in use?
Vulnerabilities       Are known vulnerabilities being remediated quickly?
Token Permissions     Are GitHub tokens scoped minimally in workflows?

Each check contributes to the overall score, which is not a guarantee of security, but a proxy for security maturity.

Score Interpretation

Score Range   Interpretation                           Typical Actions
-----------   ---------------------------------------  -----------------------------------------------------
0–3.9         High risk, missing core practices        Block or flag for manual review
4–6.9         Some good practices, but inconsistent    Monitor closely, validate key controls
7–8.9         Solid posture, mostly secure practices   Accept with caution, track updates
9–10          Strong adherence to best practices       Safe to trust in production, revalidate periodically

Heeler Recommendations

  • Adopt only dependencies with score ≥ 7.0

  • Flag dependencies below 4.0 for manual review

  • Set Guardrails requiring score ≥ 7.0
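The following is an added example, not Heeler's or the OpenSSF's own code. It applies the score bands from the Score Interpretation table and the thresholds in the recommendations above (adopt at ≥ 7.0, manual review below 4.0) to Scorecard results, and also surfaces the individual checks from the check table so that a weak Token Permissions or Signed Releases result is visible even when the aggregate score looks acceptable. The JSON layout (top-level `repo`, `score` and a `checks` array of `name`/`score` objects), the hyphenated check names, the treatment of a check score of -1 as "inconclusive", and the per-check floor `KEY_CHECK_MIN` are assumptions that mirror the scorecard CLI's JSON output as I recall it; the three dependencies in `SAMPLE_JSON` are constructed.

```python
"""Apply the Scorecard thresholds from this page to scorecard-style JSON output.

Added example, not Heeler's or OpenSSF's own code. The JSON layout
(top-level "repo", "score" and "checks": [{"name", "score"}]) and the
hyphenated check names are assumed to mirror what the scorecard CLI
emits; a check score of -1 is treated as inconclusive (assumption).
"""
import json

# Thresholds from the Heeler recommendations on this page.
ADOPT_MIN = 7.0     # adopt, and require via guardrail
REVIEW_BELOW = 4.0  # flag for manual review below this

# Checks from the table above whose individual result is worth surfacing
# even when the aggregate looks fine. The per-check floor is an assumption.
KEY_CHECKS = ("Maintained", "Signed-Releases", "Token-Permissions", "Vulnerabilities")
KEY_CHECK_MIN = 7

# Constructed sample: three dependencies in scorecard-style JSON.
SAMPLE_JSON = """
[
  {"repo": {"name": "github.com/example/well-kept"}, "score": 8.4,
   "checks": [{"name": "Maintained", "score": 10},
              {"name": "Signed-Releases", "score": 8},
              {"name": "Token-Permissions", "score": 10},
              {"name": "Vulnerabilities", "score": 10}]},
  {"repo": {"name": "github.com/example/middling"}, "score": 6.2,
   "checks": [{"name": "Maintained", "score": 10},
              {"name": "Signed-Releases", "score": 7},
              {"name": "Token-Permissions", "score": 0},
              {"name": "Vulnerabilities", "score": 10}]},
  {"repo": {"name": "github.com/example/dormant"}, "score": 3.1,
   "checks": [{"name": "Maintained", "score": 0},
              {"name": "Signed-Releases", "score": -1},
              {"name": "Token-Permissions", "score": 5},
              {"name": "Vulnerabilities", "score": 10}]}
]
"""


def interpret(score):
    """Map an aggregate score onto the bands in the Score Interpretation table."""
    if score < 4.0:
        return "high risk"
    if score < 7.0:
        return "inconsistent"
    if score < 9.0:
        return "solid"
    return "strong"


def decide(result):
    """Return (action, reasons) for one Scorecard result.

    The action follows the page's recommendations; the reasons list the
    check-level findings a reviewer would want to see alongside it.
    """
    score = result["score"]
    if score < REVIEW_BELOW:
        action = "manual-review"
    elif score < ADOPT_MIN:
        action = "monitor"
    else:
        action = "adopt"

    reasons = []
    for check in result.get("checks", []):
        name, cscore = check["name"], check["score"]
        if cscore == -1:
            # Inconclusive: the check could not run, so the aggregate may be
            # hiding a gap rather than confirming one is absent.
            reasons.append(f"{name}: inconclusive")
        elif name in KEY_CHECKS and cscore < KEY_CHECK_MIN:
            reasons.append(f"{name}: {cscore}/10")
    return action, reasons


def evaluate(results_json):
    """Evaluate every result in a JSON array; the report is keyed by repo name."""
    report = {}
    for result in json.loads(results_json):
        action, reasons = decide(result)
        report[result["repo"]["name"]] = {
            "score": result["score"],
            "band": interpret(result["score"]),
            "action": action,
            "reasons": reasons,
        }
    return report


def guardrail_failures(results_json, threshold=ADOPT_MIN):
    """Names of the dependencies a 'score >= threshold' guardrail would stop."""
    return sorted(name for name, r in evaluate(results_json).items()
                  if r["score"] < threshold)


if __name__ == "__main__":
    for name, r in evaluate(SAMPLE_JSON).items():
        print(f"{name}: {r['score']} ({r['band']}) -> {r['action']}")
        for reason in r["reasons"]:
            print(f"    {reason}")
    print("guardrail would block:", guardrail_failures(SAMPLE_JSON))
```

Run against the constructed sample, the "middling" dependency passes the manual-review threshold but still reports a Token-Permissions score of 0, which is exactly the kind of signal the aggregate alone hides; the "dormant" dependency is both below 4.0 and has an inconclusive Signed-Releases check, so the reviewer knows the low score may understate the gap rather than overstate it.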
